Difference between revisions of "LancsXrd"
From GridPP Wiki
(→authdb) |
Line 17: | Line 17: | ||
<pre> | <pre> | ||
# cat /etc/xrootd/xrootd-server.cfg | # cat /etc/xrootd/xrootd-server.cfg | ||
− | ## | + | ##basics |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | |||
all.export /cephfs/grid | all.export /cephfs/grid | ||
− | all.sitename | + | all.sitename UKI_NORTHGRID_LANCS_HEP |
− | + | ||
− | + | ||
− | + | ||
all.adminpath /var/spool/xrootd | all.adminpath /var/spool/xrootd | ||
− | all.pidpath /run/xrootd | + | all.pidpath /var/run/xrootd |
− | # | + | #checksum - prob safe |
xrootd.chksum adler32 | xrootd.chksum adler32 | ||
− | # | + | #logging |
− | + | all.trace all | |
− | #auth stuff largely from Sam | + | ## auth stuff |
+ | #largely from Sam | ||
xrootd.seclib /usr/lib64/libXrdSec.so | xrootd.seclib /usr/lib64/libXrdSec.so | ||
sec.protocol /lib64 gsi -certdir:/etc/grid-security/certificates \ | sec.protocol /lib64 gsi -certdir:/etc/grid-security/certificates \ | ||
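Review bot: the new `all.trace all` line in this hunk turns on every trace category, which on a production server floods the log and makes the authentication failures this config is presumably being tuned for harder to spot. Once the auth stack works, narrow it to the component you are actually debugging (for example a per-component directive such as `xrootd.trace`) so that genuine sec/authz errors stay visible.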
Line 56: | Line 41: | ||
-gmapopt:10 -gmapto:0 \ | -gmapopt:10 -gmapto:0 \ | ||
-vomsat:extract -vomsfun:libXrdVoms.so | -vomsat:extract -vomsfun:libXrdVoms.so | ||
− | + | #point to our authdb | |
acc.authdb /etc/grid-security/authdb | acc.authdb /etc/grid-security/authdb | ||
ofs.authorize | ofs.authorize | ||
− | # | + | # Config TLS |
+ | #from https://xrootd-howto.readthedocs.io/en/latest/tpc/#an-example-of-wlcg-tpc-configuration-with-x509-authentication | ||
+ | xrd.tls /etc/grid-security/xrdcert.pem /etc/grid-security/xrdkey.pem | ||
+ | xrd.tlsca certdir /etc/grid-security/certificates | ||
+ | #xrootd.tls capable all | ||
− | |||
− | |||
− | |||
− | # | + | #xrd tpc just in case |
− | + | ofs.tpc cksum adler32 fcreds ?gsi =X509_USER_PROXY autorm xfr 40 pgm /etc/xrootd/xrdcp-tpc.sh | |
+ | ## http stuff | ||
− | #http | + | #kick off xroot http, on 1094 |
− | + | if exec xrootd | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
xrd.protocol http:1094 /usr/lib64/libXrdHttp.so | xrd.protocol http:1094 /usr/lib64/libXrdHttp.so | ||
− | + | fi | |
− | + | http.selfhttps2http no | |
− | |||
− | # | + | #from James |
− | + | http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt | |
− | http. | + | |
− | http | + | |
− | + | ||
− | + | ||
− | + | ||
− | # | + | # Require the use of the xrd.tls certificates (alternative is to use manual) |
− | http. | + | http.httpsmode auto |
− | http. | + | |
− | + | ##old way from first config, if above set to manual | |
+ | #http.cadir /etc/grid-security/certificates | ||
+ | #http.cert /etc/grid-security/xrdcert.pem | ||
+ | #http.key /etc/grid-security/xrdkey.pem | ||
+ | |||
+ | |||
+ | # HTTP TPC, see https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Enable_Third_Party_Copy | ||
+ | http.secxtractor libXrdVoms.so | ||
+ | http.exthandler xrdtpc libXrdHttpTPC.so | ||
+ | http.header2cgi Authorization authz | ||
+ | |||
+ | # Please install libmacaroons rpm from EPEL. | ||
+ | # Macaroons support, see: https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Macaroons_Support | ||
+ | http.exthandler xrdmacaroons libXrdMacaroons.so | ||
+ | |||
+ | # secret generated using openssl rand -base64 -out /etc/xrootd/macaroon-secret 64, owned xroot, chown 440 | ||
+ | macaroons.secretkey /etc/xrootd/macaroon-secret | ||
+ | |||
+ | ## token stuff | ||
+ | ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg | ||
+ | ofs.authlib ++ libXrdMacaroons.so | ||
+ | |||
</pre> | </pre> | ||
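Review bot: the macaroons comment added in this hunk, `owned xroot, chown 440`, mixes up the two commands: `chown` sets the owner and group, the 0440 mode comes from `chmod`. Worth correcting rather than leaving as a note, because `macaroons.secretkey` is the signing secret for every macaroon this server issues; any local account that can read the file can forge macaroons for this endpoint, so confirm the file is mode 0440, owned by the xrootd user and group, and not readable by other.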
Line 132: | Line 130: | ||
x xatlasukusr /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk lrw /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr | x xatlasukusr /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk lrw /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr | ||
x xatlasusr /cephfs/grid/atlas/atlaslocalgroupdisk lr /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr | x xatlasusr /cephfs/grid/atlas/atlaslocalgroupdisk lr /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr | ||
− | x xopsuser /cephfs/grid/ops | + | x xopsuser /cephfs/grid/ops a /cepfs/grid/srr lr |
x xwlcguser /cephfs/grid/wlcg a /cepfs/grid/srr lr | x xwlcguser /cephfs/grid/wlcg a /cepfs/grid/srr lr | ||
x wlcgtknusr /cephfs/grid/wlcg a /cepfs/grid/srr lr | x wlcgtknusr /cephfs/grid/wlcg a /cepfs/grid/srr lr |
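Review bot: every `x` record in this hunk grants `lr` on `/cepfs/grid/srr`, while the server exports `/cephfs/grid` (`all.export` above). If `cepfs` is a typo for `cephfs`, the storage-resource-report path is never actually granted and reads of the SRR file will be refused; if `/cepfs` is intentional it lies outside the exported tree and the grant is inert. Either way the path should be checked against the export before this is deployed.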
Latest revision as of 11:10, 17 February 2022
Lancaster Xroot Server setup
Useful Pages
(list in progress)
https://twiki.cern.ch/twiki/bin/view/AtlasComputing/StorageSetUp#Recommendation
(new) https://xrootd-howto.readthedocs.io/en/latest/
https://wlcg-authz-wg.github.io/wlcg-authz-docs/token-based-authorization/configuration/xrootd/
Configs
main config
Started with systemctl start xrootd@server; this config also serves HTTPS on port 1094.
# cat /etc/xrootd/xrootd-server.cfg
##basics
all.export /cephfs/grid
all.sitename UKI_NORTHGRID_LANCS_HEP
all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd
#checksum - prob safe
xrootd.chksum adler32
#logging
all.trace all
## auth stuff
#largely from Sam
xrootd.seclib /usr/lib64/libXrdSec.so
sec.protocol /lib64 gsi -certdir:/etc/grid-security/certificates \
 -cert:/etc/grid-security/xrdcert.pem \
 -key:/etc/grid-security/xrdkey.pem \
 -crl:1 \
 -authzfun:libXrdSecgsiAUTHZVO.so \
 -gmapopt:10 -gmapto:0 \
 -vomsat:extract -vomsfun:libXrdVoms.so
#point to our authdb
acc.authdb /etc/grid-security/authdb
ofs.authorize
# Config TLS
#from https://xrootd-howto.readthedocs.io/en/latest/tpc/#an-example-of-wlcg-tpc-configuration-with-x509-authentication
xrd.tls /etc/grid-security/xrdcert.pem /etc/grid-security/xrdkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
#xrootd.tls capable all
#xrd tpc just in case
ofs.tpc cksum adler32 fcreds ?gsi =X509_USER_PROXY autorm xfr 40 pgm /etc/xrootd/xrdcp-tpc.sh
## http stuff
#kick off xroot http, on 1094
if exec xrootd
xrd.protocol http:1094 /usr/lib64/libXrdHttp.so
fi
http.selfhttps2http no
#from James
http.staticpreload http://static/robots.txt /etc/xrootd/robots.txt
# Require the use of the xrd.tls certificates (alternative is to use manual)
http.httpsmode auto
##old way from first config, if above set to manual
#http.cadir /etc/grid-security/certificates
#http.cert /etc/grid-security/xrdcert.pem
#http.key /etc/grid-security/xrdkey.pem

# HTTP TPC, see https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Enable_Third_Party_Copy
http.secxtractor libXrdVoms.so
http.exthandler xrdtpc libXrdHttpTPC.so
http.header2cgi Authorization authz

# Please install libmacaroons rpm from EPEL.
# Macaroons support, see: https://twiki.cern.ch/twiki/bin/view/Main/XRootDoverHTTP#Macaroons_Support
http.exthandler xrdmacaroons libXrdMacaroons.so

# secret generated using openssl rand -base64 -out /etc/xrootd/macaroon-secret 64, owned xroot, chmod 440
macaroons.secretkey /etc/xrootd/macaroon-secret

## token stuff
ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
ofs.authlib ++ libXrdMacaroons.so
notes
The path needs to be writable by the xroot user; if it isn't, xrootd will complain and fail on startup.
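Since most of the ways this config can fail to start come down to a file it names being absent or having the wrong permissions, the following added example (not the Lancaster site's tooling and not an XRootD utility) reads the directives above that name files (sec.protocol -cert:/-key:, acc.authdb, xrd.tls, ofs.tpc pgm, macaroons.secretkey) and checks, against an optional staging root instead of the live /etc, that each exists, that key material and the macaroon secret are not readable by other, and that the TPC helper is executable. The sample config is a trimmed copy of the one above and the files it creates under a temporary directory are constructed placeholders; the missing TPC script and the world-readable secret are deliberate.

```python
"""Offline start-up pre-flight check for an xrootd-server.cfg (added example)."""
import os
import stat
import tempfile

# Constructed: a trimmed copy of the page's config with the comments removed.
SAMPLE_CFG = r"""
all.export /cephfs/grid
all.adminpath /var/spool/xrootd
all.pidpath /var/run/xrootd
xrootd.seclib /usr/lib64/libXrdSec.so
sec.protocol /lib64 gsi -certdir:/etc/grid-security/certificates \
 -cert:/etc/grid-security/xrdcert.pem \
 -key:/etc/grid-security/xrdkey.pem \
 -crl:1 -gmapopt:10 -gmapto:0 -vomsat:extract -vomsfun:libXrdVoms.so
acc.authdb /etc/grid-security/authdb
ofs.authorize
xrd.tls /etc/grid-security/xrdcert.pem /etc/grid-security/xrdkey.pem
xrd.tlsca certdir /etc/grid-security/certificates
ofs.tpc cksum adler32 fcreds ?gsi =X509_USER_PROXY autorm xfr 40 pgm /etc/xrootd/xrdcp-tpc.sh
if exec xrootd
xrd.protocol http:1094 /usr/lib64/libXrdHttp.so
fi
http.httpsmode auto
http.exthandler xrdmacaroons libXrdMacaroons.so
macaroons.secretkey /etc/xrootd/macaroon-secret
"""

# Roles whose file holds private material: must not be readable by 'other'.
SECRET_ROLES = {"gsi-key", "tls-key", "macaroon-secret"}


def referenced_files(cfg_text):
    """Map each file path the config depends on at start-up to its role."""
    refs = {}
    # Fold backslash-newline continuations (as used by sec.protocol) into one line.
    for raw in cfg_text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0]
        if directive == "sec.protocol":
            for tok in parts:
                if tok.startswith("-cert:"):
                    refs[tok[len("-cert:"):]] = "gsi-cert"
                elif tok.startswith("-key:"):
                    refs[tok[len("-key:"):]] = "gsi-key"
        elif directive == "acc.authdb" and len(parts) > 1:
            refs[parts[1]] = "authdb"
        elif directive == "xrd.tls" and len(parts) > 2:
            # Same files as the GSI cert/key here; the later role simply wins.
            refs[parts[1]] = "tls-cert"
            refs[parts[2]] = "tls-key"
        elif directive == "ofs.tpc" and "pgm" in parts[:-1]:
            refs[parts[parts.index("pgm") + 1]] = "tpc-program"
        elif directive == "macaroons.secretkey" and len(parts) > 1:
            refs[parts[1]] = "macaroon-secret"
    return refs


def preflight(cfg_text, root="/"):
    """Return [(path, role, problem)] for files that would break start-up.

    `root` lets the check run against a staging tree instead of the live /etc.
    """
    findings = []
    for path, role in referenced_files(cfg_text).items():
        real = os.path.join(root, path.lstrip("/"))
        if not os.path.exists(real):
            findings.append((path, role, "missing"))
            continue
        mode = stat.S_IMODE(os.stat(real).st_mode)
        if role in SECRET_ROLES and mode & 0o007:
            findings.append((path, role, "readable by other (mode %s)" % oct(mode)))
        if role == "tpc-program" and not os.access(real, os.X_OK):
            findings.append((path, role, "not executable"))
    return findings


def build_demo_tree(root):
    """Create constructed placeholder files under a temporary root."""
    def put(rel, body, mode):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
        os.chmod(full, mode)

    put("etc/grid-security/xrdcert.pem", "constructed certificate placeholder\n", 0o644)
    put("etc/grid-security/xrdkey.pem", "constructed key placeholder\n", 0o400)
    put("etc/grid-security/authdb", "= xgridppusr o: gridpp\n", 0o644)
    # Deliberately wrong: the macaroon signing secret is left world-readable.
    put("etc/xrootd/macaroon-secret", "constructed secret placeholder\n", 0o644)
    # /etc/xrootd/xrdcp-tpc.sh is deliberately not created.


def run_demo():
    """Run the pre-flight against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return preflight(SAMPLE_CFG, root)


if __name__ == "__main__":
    for path, role, problem in run_demo():
        print("%-35s %-16s %s" % (path, role, problem))
```

Against the real host you would call `preflight(open("/etc/xrootd/xrootd-server.cfg").read())` as the xrootd user before `systemctl start xrootd@server`; the `root` argument exists only so the demo (and a config staged under a build directory) can be checked without touching /etc.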
authdb
/etc/grid-security/certificates, fetch-crl and the vomsdir are set up as normal.
# cat /etc/grid-security/authdb
### Define users
## o - organisation/VO  r - role  g - group
#test users
= xgridppusr o: gridpp
= xdteamusr o: dteam
= xopsuser o: ops
= xwlcguser o: wlcg
= wlcgtknusr o: https://wlcg.cloud.cnaf.infn.it/ g: /wlcg
#atlas
= xatlasprd o: atlas r: production
= xatlasplt o: atlas r: pilot
= xatlasukprd o: atlas r: production g: uk
= xatlasukusr o: atlas g: uk
= xatlasusr o: atlas
#hyperk
= xhyperkprd o: hyperk.org r: production
= xhyperkusr o: hyperk.org
### Define accesses
## a - all-rights  l - list (don't forget)  r - read  w - write
x xgridppusr /cephfs/grid/gridpp a /cepfs/grid/srr lr
x xdteamusr /cephfs/grid/dteam a /cephfs/grid/wlcg a /cepfs/grid/srr lr
x xatlasprd /cephfs/grid/atlas a /cepfs/grid/srr lr
x xatlasplt /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk lr /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xatlasukprd /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk a /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xatlasukusr /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlaslocalgroupdisk lrw /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xatlasusr /cephfs/grid/atlas/atlaslocalgroupdisk lr /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlasscratchdisk lrw /cepfs/grid/srr lr
x xopsuser /cephfs/grid/ops a /cepfs/grid/srr lr
x xwlcguser /cephfs/grid/wlcg a /cepfs/grid/srr lr
x wlcgtknusr /cephfs/grid/wlcg a /cepfs/grid/srr lr
x xhyperkprd /cephfs/grid/hyperk.org a /cepfs/grid/srr lr
x xhyperkusr /cephfs/grid/hyperk.org/ lr /cepfs/grid/srr lr
notes
On server start-up, if the authdb is misconfigured, xrootd will most likely log an error and fail to start.
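Because a broken authdb only shows up as a failed start, it is worth linting the file before the restart. The following added example (not the Lancaster site's tooling and not an XRootD utility) understands the two record types used above, `= <id> [o: org] [r: role] [g: group]` for identity definitions and `x <id> <path> <privs> ...` for grants, and reports grants for identities that were never defined, privilege letters acc.authdb does not accept, paths outside the exported tree from `all.export`, and read/write grants that leave out the `l` the comment above says not to forget. Record types the page does not use (u, g, o, r, ...) are passed through unchecked. The sample authdb is a constructed cut-down copy of the one above with three deliberate mistakes; the letters beyond a, l, r and w in KNOWN_PRIVS are the remaining standard acc.authdb privileges.

```python
"""Lint an XRootD authdb of the kind shown above before restarting (added example)."""

EXPORT_ROOT = "/cephfs/grid"   # all.export from the page's xrootd-server.cfg

# Privilege letters accepted by acc.authdb: a (all), d (delete), i (insert),
# k (lock), l (lookup/list), n (rename), r (read), w (write).
KNOWN_PRIVS = set("adiklnrw")

# Constructed sample in the page's style with three deliberate mistakes:
# a path outside the export (line 6), 'rw' without 'l' (line 7) and a grant
# for an identity that is never defined (line 9).
SAMPLE_AUTHDB = """\
### Define users
= xgridppusr o: gridpp
= xatlasplt o: atlas r: pilot
= xatlasukusr o: atlas g: uk
### Define accesses
x xgridppusr /cephfs/grid/gridpp a /cepfs/grid/srr lr
x xatlasplt /cephfs/grid/atlas/atlasdatadisk lr /cephfs/grid/atlas/atlasscratchdisk rw
x xatlasukusr /cephfs/grid/atlas/atlaslocalgroupdisk lrw
x xnobody /cephfs/grid/nowhere a
"""


def parse_authdb(text):
    """Return ({id: {attr: value}}, [(lineno, id, [(path, privs), ...])], [bad lineno])."""
    ids, grants, malformed = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        parts = line.split()
        if parts[0] == "=" and len(parts) >= 2 and len(parts) % 2 == 0:
            # "= xatlasplt o: atlas r: pilot" -> {"o:": "atlas", "r:": "pilot"}
            ids[parts[1]] = dict(zip(parts[2::2], parts[3::2]))
        elif parts[0] == "x" and len(parts) >= 4 and len(parts) % 2 == 0:
            # path/privs pairs: "x id p1 v1 p2 v2" -> [(p1, v1), (p2, v2)]
            grants.append((lineno, parts[1], list(zip(parts[2::2], parts[3::2]))))
        elif parts[0] in ("=", "x"):
            malformed.append(lineno)              # odd field count: path/privs out of step
        # other record types are not used on the page and are passed through
    return ids, grants, malformed


def under_root(path, root=EXPORT_ROOT):
    """True if `path` is the exported tree or lies inside it."""
    root = root.rstrip("/")
    return path.rstrip("/") == root or path.startswith(root + "/")


def check_authdb(text, export_root=EXPORT_ROOT):
    """Return sorted [(lineno, message)] for everything worth fixing before a restart."""
    ids, grants, malformed = parse_authdb(text)
    problems = [(n, "malformed record (odd number of fields)") for n in malformed]
    for lineno, ident, pairs in grants:
        if ident not in ids:
            problems.append((lineno, "grant for undefined identity '%s'" % ident))
        for path, privs in pairs:
            if not path.startswith("/"):
                problems.append((lineno, "'%s' is not an absolute path" % path))
            elif not under_root(path, export_root):
                problems.append((lineno, "'%s' is outside exported tree %s" % (path, export_root)))
            unknown = set(privs) - KNOWN_PRIVS
            if unknown:
                problems.append((lineno, "unknown privilege letter(s) %s in '%s'"
                                 % (sorted(unknown), privs)))
            elif "a" not in privs and "l" not in privs and set(privs) & {"r", "w"}:
                problems.append((lineno, "'%s' on %s grants r/w without l (listing)"
                                 % (privs, path)))
    return sorted(problems)


if __name__ == "__main__":
    for lineno, message in check_authdb(SAMPLE_AUTHDB):
        print("line %d: %s" % (lineno, message))
```

On the live host, `check_authdb(open("/etc/grid-security/authdb").read())` run before `systemctl start xrootd@server` catches the cases above without a restart; the export-root check in particular is what would flag the `/cepfs/grid/srr` entries in the file above, which do not sit under the `/cephfs/grid` export.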